Lawmakers push DoD, Energy for answers on IT supply chain security

Jason Miller, executive editor, Federal News Radio

Agencies are facing the growing threat of cyber attack due to weak supply chain controls for technology. Although this lack of oversight and regulations over their suppliers has been a well-known risk for years, departments are only now taking steps to protect themselves.

"IT supply chain related threats can be introduced in the manufacturing, assembly and distribution of hardware, software and services," said Greg Wilshusen, the director of security issues for the Government Accountability Office, Tuesday during a hearing before the House Energy and Commerce Subcommittee on Oversight and Investigations. "These threats include the insertion of harmful or malicious software and hardware, installation of counterfeit items, disruption in the production or distribution of critical products, reliance on unqualified or malicious service providers and installation of hardware or software containing unintended vulnerabilities."


GAO reviewed how three civilian agencies — the departments of Energy, Homeland Security and Justice — and the Defense Department secure their supply chains when buying technology.

Wilshusen said DoD is the most advanced, but the other three are just in the beginning stages of their efforts.

"Three of the agencies had not fully addressed federal guidelines," he said. "These guidelines recommend agencies for their high impact systems define supply chain protection measures, develop procedures for implementing them and monitor their effectiveness. Energy and Homeland Security have not yet taken these steps. While Justice has defined supply chain protection measures, including a foreign ownership control and influence review, it has not yet developed implementing procedures or monitoring capabilities."

That worries committee lawmakers.

"I was troubled to find the GAO concluded that DoE had not developed clear policies or defined what security measures are needed to protect against supply chain threats," said Rep. Cliff Stearns (R-Fla.), chairman of the subcommittee. "There appears to be no integrated response among the federal IT enterprise to address the supply chain risk. Agencies are left to their own devices to address this risky and complex threat. I find this very troubling."

Pentagon expanding pilot program

DoD, on the other hand, has been trying to address the security of its supply chain for at least four years. Former Defense Deputy Secretary William Lynn mandated supply chain risk management pilots in 2009 and 2010, and full implementation by 2016 for all national security systems.

"DoD is currently incorporating lessons learned during the piloting phase into permanent policy and practice," said Mitchell Komaroff, the director of Trusted Mission Systems and Networks within the Office of the DoD Chief Information Officer. "First the Defense Intelligence Agency mission to support DoD acquisition with supply chain threat analysis has been made permanent in DoD policy. To date, the DIA has performed approximately 520 analyses for DoD acquisition programs."

The Pentagon also is requiring programs to integrate criticality analysis, use of supply chain threat information, supply chain risk management key practices and hardware and software assurance into program protection.

Additionally, Congress put pressure on DoD in the 2012 Defense Authorization bill. Lawmakers required DoD to put in place a certification process for suppliers and to make vendors pay for replacing counterfeit parts that already have been installed in DoD systems.

Lawmakers now want to apply similar rules for civilian agencies. The Cybersecurity Act of 2012 would require agencies to make sure they buy genuine products from vendors with a secure supply chain.

The Obama administration also is focusing on securing the supply chain. DHS released a national strategy to secure the supply chain in January.

Wilshusen said the biggest threats all agencies face are introduction or insertion of malicious code and the integration of counterfeit items in systems.

A Commerce Department survey of 387 defense industrial base companies in 2010 found that 39 percent of them said they had encountered counterfeit electronics during a four-year period, and that the number of incidents rose 140 percent between 2005 and 2008, from 3,800 items in 2005 to more than 9,000 in 2008.

Another report by GAO released this week found counterfeit parts were rampant in the DoD supply chain. Of the 16 parts requested by auditors from DoD suppliers, none were legitimate.

Komaroff said DoD's strategy for achieving trustworthy systems in the face of supply chain risks includes four principles:

Prioritize scarce resources based on mission criticality

Planning for comprehensive program protection by identifying critical components and protecting them from supply chain risk informed by all-source intelligence.

Improving DoD's ability to detect and respond to vulnerabilities in programmable logical elements

Partnering with industry

"The difficulty of mounting and defending against supply chain exploitation focuses supply chain risk management on sensitive, mission-critical systems," Komaroff said. "Accordingly, DoD policy levies additional risk management policies and processes on national security systems. Supply chain risk management represents a sea change in the acquisition process. It requires new institutional relationships between the acquisition and intelligence communities, and the application of operational security to processes that historically we have sought to make transparent. It also requires engineering and test and evaluation capabilities that are still the subject of ongoing research."

DoD also led the development of a new policy by the Committee on National Security Systems. The CNSS 505 adopts concepts, lessons learned and strategy elements from the DoD's supply chain risk management (SCRM) strategy and issuances, including elements of the incremental approach to implementing SCRM.

Within the first year after the policy is issued, agencies are to develop an initial SCRM capability, and within six years of the issuance's publication, agencies are to have developed a full-scale SCRM capability to protect their national security systems. This model has been successful in DoD, and the lessons learned from it have set the stage for a successful interagency implementation.

DoE just getting started

Energy also is trying to address the supply chain risks through the acquisition process.

"Our focus on supply chain is in the broader sense related to the risk management approach the DoE is embarking upon," Vega said. "Recently, in the past year, the DoE has implemented this new risk management approach, which is mission focused and directs those business owners to direct limited resources at the things that are most important to the mission and the most sensitive data."

Vega added his office has issued architecture frameworks that tell business and system owners to account for supply chain risk as part of their overall risk assessment process.

He added Energy also is working closely with its suppliers. A new strategy development effort just got underway this month.

"Some of our vendors have programs to vet their supply chains and some do not," Vega said in response to questions from Rep. Phil Gingrey (R-Ga.). "We are embarking on the process of developing explicit direction to our IT purchasers across the department to do exactly that."

Despite all this concern and effort, neither Vega nor Komaroff said they could point to a cyber problem directly related to the supply chain.

Komaroff said supply chain risk is difficult to discern. Even when a weakness is found in a product, he said, it can usually be explained either as a security-related defect or as a failure to close an engineering-type back door, rather than as a deliberate supply chain compromise.